Forum.Brain-Cluster.com: Brain Cluster Technical Forum

Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #330992] Mon, 30 November 2009 03:05
Eric (Netherlands), Senior Member, Messages: 130, Registered: July 2009
Hello,

We have several trusted domains in our company. Some of them are still
using Windows NT domains.
Every domain is trusted with the same Active Directory domain.

The trust relationships are working correctly, but we have a problem
with a specific trusted domain.

Indeed, when we are connected to a server member of this specific NT
domain, we cannot display users of our AD trusted domain.
We get the error "Cannot display objects from this location because of
the following error: The specified domain either does not exist or
could not be contacted".

And then if we open ports 137/UDP and 138/UDP between the specific server
member of the NT domain and the PDC EMULATOR of our AD domain, then it works.

I don't understand why in this specific situation I need to open those
ports, as they are not needed for my other trusted NT domains.

Moreover, this means I have to open those ports from every member server
to our PDC emulator, which is not very clean in terms of security.

Do you have any idea of the problem here?
Is it a bad WINS configuration? A computer browser specific
configuration?

Thank you!

--
Eric
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #330993 is a reply to message #330992] Mon, 30 November 2009 03:08
meiweb (Germany), Senior Member, Messages: 2225, Registered: September 2009
Hello Eric,

You need them.

See here for all needed ports in a trust:
http://support.microsoft.com/kb/179442/

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #331053 is a reply to message #330992] Mon, 30 November 2009 06:14
aceman (United States), Senior Member, Messages: 5816, Registered: July 2009
As Meinolf stated, that's an absolute requirement with NT4. NT4 is NetBIOS
based, unlike AD which is DNS based. Also, if your ports are that tightened
down, you may be blocking other necessary ports that are required for
communications.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #331061 is a reply to message #330992] Mon, 30 November 2009 06:21
pbbergs (United States), Senior Member, Messages: 1024, Registered: July 2009
Those are required, as Meinolf pointed out. The NetBIOS piece is what is
biting you.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #331072 is a reply to message #330993] Mon, 30 November 2009 06:42
Eric (Netherlands), Senior Member, Messages: 130, Registered: July 2009
Hi,

Thank you for your answer.

Do you agree that these port requirements are needed for MEMBER
servers?

When I read the KB, I understand that these ports need to be opened
between the PDC and the DC, but not between MEMBER servers and the PDC Emulator
of the trusted domain.

Thank you

--
Eric
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #331134 is a reply to message #331072] Mon, 30 November 2009 08:05
aceman (United States), Senior Member, Messages: 5816, Registered: July 2009
> Do you agree that these port requirements are needed for MEMBER servers?
>
> When I read the KB, I understand that these ports need to be opened
> between the PDC and the DC, but not between MEMBER servers and the PDC Emulator of
> the trusted domain.

If any clients are to resolve and connect to the resources on the NT4
machine, they will need NetBIOS opened.

Ace
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #331166 is a reply to message #331134] Mon, 30 November 2009 08:37
Eric (Netherlands), Senior Member, Messages: 130, Registered: July 2009
Actually, they don't need to connect to the resources on the NT4
machine.

I am using a Windows 2003 server that is a member of an NT4 PDC domain.
The NT4 PDC domain is trusted (bidirectional trust) with an Active
Directory domain.

I want to list my AD domain users from my Windows 2003 server, a member of
my NT4 domain.

Perhaps I am wrong, but in the KB quoted above, it seems that I need to
open only port 138/UDP.

Am I wrong?

Thank you

--
Eric
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #331431 is a reply to message #331166] Mon, 30 November 2009 13:11
aceman (United States), Senior Member, Messages: 5816, Registered: July 2009
You will also need 139 and all the UDP service response ports opened (also
known as ephemeral ports: UDP 1024-5000, and if 2008 is involved, you may as well
open the whole UDP range).

So what other ports have you not opened?

Also, can you elaborate on this sentence, please?
> I want to list my AD domain users from my Windows 2003 server member of my
> NT4 domain.

Where do you want to "list" the users on the NT4 side? In a resource (shared
permissions & security tab permissions or printer properties) or somewhere
else?

Ace
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #332194 is a reply to message #331431] Tue, 01 December 2009 09:05
Eric (Netherlands), Senior Member, Messages: 130, Registered: July 2009
Thank you, Ace.

I am really not sure that I need to open all these ports, and I am also
not sure about the KB's statement that port 138/UDP needs to be opened.

Indeed, we have another site with exactly the same configuration BUT
there is no open port between the member servers of the remote site (in the NT
domain) and the PDC emulator (in our local AD site), and if I use
Wireshark from the member server or watch the denied traffic on my
firewall, I don't see any connection attempts on ports 137/138 or 139,
denied or otherwise.

So, I can confirm that there is no need to open those ports if I want
to list users of my AD domain from a server member of the NT domain. As
you said, I am trying to display the AD users from the Security tab
permissions of a server member of the NT domain.

Now, it seems to be a problem with my Active Directory.
Indeed, if I connect to two local DCs (in the site where the NT domain
is installed) and I launch the command nltest /sc_query:NT_Domain, I
get the following error: "Trusted DC Connection Status Status = 5 0x5
ERROR_ACCESS_DENIED"

BUT if I launch this same command on a third local DC, recently
installed, I get the message "Trusted DC Connection Status Status = 0
0x0 NERR_Success"

When I use Wireshark on my client while accessing the Security tab,
I can see that it is pointing to one of the bad DCs.
I would like to tell my member server to point to the newly installed
DC.
I have edited the lmhosts file on the member server, but the problem
remains.

Thank you

--
Eric
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #332376 is a reply to message #332194] Tue, 01 December 2009 11:57
aceman (United States), Senior Member, Messages: 5816, Registered: July 2009
> Thank you Ace.
>
> I am really not sure that I need to open all these ports, and I am also not
> sure about the KB's statement that port 138/UDP needs to be opened.
>
> Indeed, we have another site with exactly the same configuration BUT there
> is no open port between the member servers of the remote site (in the NT domain)
> and the PDC emulator (in our local AD site), and if I use Wireshark from
> the member server or watch the denied traffic on my firewall, I don't see
> any connection attempts on ports 137/138 or 139, denied or otherwise.

This is while trying to connect to a resource on the NT4 side from a client
on the AD side?


> So, I can confirm that there is no need to open those ports if I want to
> list users of my AD domain from a server member of the NT domain. As you
> said, I am trying to display the AD users from the security tab
> permissions of a server member of the NT domain.

In that case, it's using pass-through authentication through its own domain
controller across the trust.

> Now, It seems to be a problem with my Active Directory.
> Indeed, if I connect to two local DC (in the site where the NT domain is
> installed), and I launch the command : nltest /sc_query:NT_Domain I have
> the following error : "Trusted DC Connection Status Status = 5 0x5
> ERROR_ACCESS_DENIED"

Then that could mean that you have SMB signing enabled, and it may need to be
disabled on each DC to allow legacy, backward level NTLM authentication, which
doesn't support SMB signing.

To disable it, go to the Domain Controller Local Security Policy (in
Administrative Tools), then to "Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security Options." You will see:

Microsoft network server: Digitally sign communications (always) Policy
Setting: enabled
Microsoft network server: Digitally sign communications (if client agrees)
Policy Setting: enabled

Disable both.

>
> BUT if I launch this same command on a third local DC, recently installed,
> I have the message "Trusted DC Connection Status Status = 0 0x0
> NERR_Success"

But I can't see how a freshly installed 2003 DC will allow communication. So
that leads me to believe either there is a security policy on the older DCs
preventing communication, or it was disabled on the new one, or firewall
rules are preventing it.

>
> When I use wireshark on my client while accessing to the Security Tab, I
> can see that it is pointing to one of the bad DCs.
> I would like to told my member server to point to the newly installed DC.
> I have edited the lmhost file on the member server but the problem
> remains.

It depends on how you edited the lmhosts file. Can you specify exactly what
entry you gave it? Did you follow the following KB?

Trust between a Windows NT domain and an Active Directory domain cannot be
established or it does not work as expected
http://support.microsoft.com/kb/889030/en-us

Here's Paul's article on it:

NT4 / AD Trust Configuration: All trust communication traffic flows between
the Windows 2003 PDCe and the PDC. It doesn't matter how you have your
LMHosts table set up or your firewall ...
www.pbbergs.com/windows/articles/firewall_trust.html



FYI, anytime I see firewall rules are made between organizations and there's
a trust involved, I've always encountered errors. I can tell you how many
times I've seen these issues from my students asking me what is wrong and
what needs to be opened, to customers that I try to troubleshoot trusts when
their corp security policy dictates that only certain ports need to be
opened. I've spent time after time, hours upon hours to capture and read
netmon captures to determine the issue, and the solution is not always the
same. I've never seen problems where the ports are left wide open, and it's
funny, the captures I see are not from the machine to a DC on the other side
of the trust, rather they go to their own DC, which performs the
pass-through. So if the firewalls are blocking any of the DCs with necessary
ports, that will cause it. Like I said, you have a task at hand to read your
captures and not only on member servers, rather between the DCs themselves
across the trust.


I hope that helps.

Ace
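One way to act on the advice above (read the captures between the DCs, not only on the member servers) is to triage a firewall's deny log by host role. This is an added example, not code from the thread or from Microsoft; the log format, host names and addresses are constructed, and the port table is my own reading of KB 179442 rather than a copy of it.

```python
"""Triage firewall deny logs for NT4/AD trust traffic by host role.
Added example, not code from the thread: the log format, host names and
addresses below are constructed; the port table is my reading of KB 179442."""
from collections import defaultdict
import re

# Ports the thread and KB 179442 discuss for an NT4 <-> AD trust (assumption:
# a reading of that KB, not an authoritative copy of it).
TRUST_PORTS = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram (trust / pass-through)",
    ("tcp", 139): "NetBIOS session (SMB over NetBIOS)",
    ("tcp", 445): "SMB direct host",
    ("tcp", 135): "RPC endpoint mapper",
}
EPHEMERAL_UDP = range(1024, 5001)  # the "UDP 1024-5000" service response ports

# Constructed role map: which address is a DC and which is a member server.
ROLES = {
    "10.1.0.10": ("ad-pdce", "dc"),         # AD PDC emulator
    "10.1.0.11": ("ad-dc2", "dc"),
    "10.2.0.5": ("nt4-pdc", "dc"),          # NT4 PDC
    "10.2.0.50": ("nt4-member", "member"),  # Windows 2003 member of the NT4 domain
}

# Constructed deny-log lines in a simple key=value firewall format.
SAMPLE_LOG = """\
action=deny proto=udp src=10.2.0.50 spt=137 dst=10.1.0.10 dpt=137
action=deny proto=udp src=10.2.0.5 spt=138 dst=10.1.0.10 dpt=138
action=deny proto=tcp src=10.2.0.5 spt=1045 dst=10.1.0.10 dpt=139
action=deny proto=udp src=10.1.0.10 spt=138 dst=10.2.0.5 dpt=138
action=deny proto=tcp src=10.2.0.50 spt=1100 dst=10.1.0.10 dpt=445
action=deny proto=udp src=10.1.0.10 spt=137 dst=10.2.0.5 dpt=2051
action=deny proto=tcp src=10.2.0.50 spt=1200 dst=10.1.0.10 dpt=80
action=allow proto=tcp src=10.2.0.50 spt=1201 dst=10.1.0.10 dpt=389
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"spt=(?P<spt>\d+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return one log record as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec


def classify_port(proto, dpt):
    """Name the trust-relevant service behind (proto, dpt), or None if unrelated."""
    svc = TRUST_PORTS.get((proto, dpt))
    if svc:
        return svc
    if proto == "udp" and dpt in EPHEMERAL_UDP:
        return "UDP ephemeral (service response)"
    return None


def triage(log_text):
    """Count denied, trust-relevant flows keyed by (src, dst, proto/port, service).
    Allowed traffic, unknown hosts and ports the trust does not use are ignored."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "deny":
            continue
        if rec["src"] not in ROLES or rec["dst"] not in ROLES:
            continue
        svc = classify_port(rec["proto"], rec["dpt"])
        if svc is None:
            continue
        src_name, dst_name = ROLES[rec["src"]][0], ROLES[rec["dst"]][0]
        counts[(src_name, dst_name, f"{rec['proto']}/{rec['dpt']}", svc)] += 1
    return dict(counts)


def dc_to_dc_denies(log_text):
    """Keep only denied flows with a domain controller at both ends.
    A block between the PDC emulator and the NT4 PDC breaks the trust for every
    member server, so these are the entries to read before any member-server ones."""
    role_of = {name: role for name, role in ROLES.values()}
    return {k: v for k, v in triage(log_text).items()
            if role_of[k[0]] == "dc" and role_of[k[1]] == "dc"}


if __name__ == "__main__":
    for (src, dst, port, svc), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}x {src:>10} -> {dst:<10} {port:<8} {svc}")
    print("DC <-> DC blocks:", len(dc_to_dc_denies(SAMPLE_LOG)))
```

On the constructed log, four of the six trust-relevant denies are DC-to-DC (the 138/UDP datagram traffic in both directions, 139/TCP and a UDP ephemeral response), which is the set to clear before touching any member-server rule.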
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #337175 is a reply to message #332376] Mon, 07 December 2009 02:50
Eric (Netherlands), Senior Member, Messages: 130, Registered: July 2009
Thank you, Ace.

Finally, I solved the problem!
I created a new domain controller and demoted the old one, and the
problem has been solved.

I didn't have to open port 138/UDP (nor any NetBIOS port between
my servers that are members of the NT domain and my DC) as it is written in the KB
quoted above.

From the old DC I had this error with nltest: Trusted DC Connection
Status Status = 5 0x5 ERROR_ACCESS_DENIED

From the new DC: Trusted DC Connection Status Status = 0 0x0
NERR_Success

Hope this helps :)

--
Eric
Re: Do I need to open port 137 and 138 from members server to the trusted PDC emulator ? [message #337384 is a reply to message #337175] Mon, 07 December 2009 09:42
aceman (United States), Senior Member, Messages: 5816, Registered: July 2009
"Eric" <Eric_m@nospam.hotmail.com> wrote in message
news:mn.3a8a7d9cf751d584.70874@nospam.hotmail.com...
>> "Eric" <Eric_m@nospam.hotmail.com> wrote in message
>> news:mn.0c017d9c75c1befe.70874@nospam.hotmail.com...
>>>> "Eric" <Eric_m@nospam.hotmail.com> wrote in message
>>>> news:mn.f3e57d9b81d673c0.70874@nospam.hotmail.com...
>>>>> Actually they dont need to connect to the ressources on the NT4
>>>>> machine.
>>>>>
>>>>> I am using a Windows 2003 server member of a PDC NT4 domain.
>>>>> The PDC NT4 domain is trusted (bidirectional trust) with an Active
>>>>> Directory domain.
>>>>>
>>>>> I want to list my AD domain users from my Windows 2003 server member
>>>>> of my NT4 domain.
>>>>>
>>>>> Perhaps I am wrong but in the KB quoted above, it seems that I need to
>>>>> open only port 138/UDP.
>>>>>
>>>>> Am I wrong ?
>>>>>
>>>>> Thank you
>>>>>
>>>>>> "Eric" <Eric_m@nospam.hotmail.com> wrote in message
>>>>>> news:mn.f3727d9bfdb343a2.70874@nospam.hotmail.com...
>>>>>>> Hi,
>>>>>>>
>>>>>>> thank you for your answer.
>>>>>>>
>>>>>>> Do you agree that these port requirements are needed for MEMBER
>>>>>>> servers?
>>>>>>>
>>>>>>> When I read the KB, I understand that these ports need to be opened
>>>>>>> between the PDC and DC but not between MEMBER servers and the PDC
>>>>>>> Emulator of the trusted domain.
>>>>>>>
>>>>>>> Thank you
>>>>>>>
>>>>>>>> Hello Eric,
>>>>>>
>>>>>> If any clients are to resolve and connect to the resources on the NT4
>>>>>> machine, they will need NetBIOS opened.
>>>>>>
>>>>>> Ace
>>>>>
>>>>> -- Eric
>>>>>
>>>>>
>>>>
>>>>
>>>> You will also need 139 and all the UDP service response ports opened
>>>> (also known as ephemeral ports: UDP 1024-5000 and if 2008 is involved,
>>>> may as well open the whole UDP range).
>>>>
>>>> So what other ports have you not opened?
>>>>
>>>> Also, can you elaborate on this sentence, please?
>>>>> I want to list my AD domain users from my Windows 2003 server member
>>>>> of my NT4 domain.
>>>>
>>>> Where do you want to "list" the users on the NT4 side? In a resource
>>>> (shared permissions & security tab permissions or printer properties)
>>>> or somewhere else?
>>>>
>>>> Ace
>>>
>>> Thank you Ace.
>>>
>>> I am really not sure that I need to open all these ports and I am also
>>> not sure with the KB about the need to open 138/UDP port.
>>>
>>> Indeed, we have another site with exactly the same configuration BUT
>>> there is no open port between member servers of the remote site (in the NT
>>> domain) and the PDC emulator (in our AD local site), and if I use
>>> Wireshark from the member server or watch the denied traffic from my
>>> firewall, I don't see any 137/138 or 139 port connection attempts
>>> and/or denials.
>>
>> This is while trying to connect to a resource on the NT4 side from a
>> client on the AD side?
>>
>>
>>> So, I can confirm that there is no need to open those ports if I want to
>>> list users of my AD domain from a server member of the NT domain. As you
>>> said, I am trying to display the AD users from the security tab
>>> permissions of a server member of the NT domain.
>>
>> In that case, it's using pass-through authentication through its own
>> domain controller across the trust.
>>
>>> Now, it seems to be a problem with my Active Directory.
>>> Indeed, if I connect to two local DCs (in the site where the NT domain is
>>> installed) and I launch the command nltest /sc_query:NT_Domain, I have
>>> the following error: "Trusted DC Connection Status Status = 5 0x5
>>> ERROR_ACCESS_DENIED"
>>
>> Then that could mean that you have SMB signing enabled, which may need to
>> be disabled on each DC to allow legacy, backward-level NTLM authentication,
>> which doesn't support SMB signing.
>>
>> To disable it, go to the Domain Controller Local Security Policy (in
>> Administrative Tools), then to "Computer Configuration\Windows
>> Settings\Security Settings\Local Policies\Security Options." You will
>> see:
>>
>> Microsoft network server: Digitally sign communications (always) Policy
>> Setting: enabled
>> Microsoft network server: Digitally sign communications (if client
>> agrees) Policy Setting: enabled
>>
>> Disable both.
>>
>>>
>>> BUT if I launch this same command on a third local DC, recently
>>> installed, I have the message "Trusted DC Connection Status Status = 0
>>> 0x0 NERR_Success"
>>
>> But I can't see how a freshly installed 2003 DC will allow communication.
>> So that leads me to believe either there is a security policy on the
>> older DCs preventing communication, or it was disabled on the new one, or
>> firewall rules are preventing it.
>>
>>>
>>> When I use wireshark on my client while accessing to the Security Tab, I
>>> can see that it is pointing to one of the bad DCs.
>>> I would like to tell my member server to point to the newly installed
>>> DC.
>>> I have edited the lmhosts file on the member server but the problem
>>> remains.
>>
>> It depends on how you edited the lmhosts file. Can you specify exactly
>> what entry you gave it? Did you follow the following KB?
>>
>> Trust between a Windows NT domain and an Active Directory domain cannot
>> be established or it does not work as expected
>> http://support.microsoft.com/kb/889030/en-us
>>
>> Here's Paul's article on it:
>>
>> NT4 / AD Trust Configuration
>> All trust communication traffic flows between the Windows 2003 PDCe and
>> the PDC. It doesn't matter how you have your LMHosts table setup or your
>> firewall ...
>> www.pbbergs.com/windows/articles/firewall_trust.html
>>
>>
>>>
>>> Thank you
>>>
>>> -- Eric
>>>
>>>
>>
>> FYI, anytime I see firewall rules are made between organizations and
>> there's a trust involved, I've always encountered errors. I can tell you
>> how many times I've seen these issues from my students asking me what is
>> wrong and what needs to be opened, to customers that I try to
>> troubleshoot trusts when their corp security policy dictates that only
>> certain ports need to be opened. I've spent time after time, hours upon
>> hours to capture and read netmon captures to determine the issue, and the
>> solution is not always the same. I've never seen problems where the ports
>> are left wide open, and it's funny, the captures I see are not from the
>> machine to a DC on the other side of the trust, rather they go to their
>> own DC, which performs the pass-through. So if the firewalls are blocking
>> any of the DCs with necessary ports, that will cause it. Like I said, you
>> have a task at hand to read your captures and not only on member servers,
>> rather between the DCs themselves across the trust.
>>
>>
>> I hope that helps.
>>
>> Ace
>
> Thank you Ace.
>
> Finally I solved the problem!
> I created a new domain controller and demoted the old one, and the problem
> has been solved.
>
> I didn't have to open the 138/UDP port (nor any NetBIOS port between my
> member servers of the NT domain and my DC) as is written in the KB quoted
> above.
>
> From the old DC I had this error with nltest: Trusted DC Connection
> Status Status = 5 0x5 ERROR_ACCESS_DENIED
>
> From the new DC: Trusted DC Connection Status Status = 0 0x0 NERR_Success
>
> Hope this helps :)
>
> --
> Eric
>
>


Hmm, so there was a problem with the machine? I wonder what it was. But I am
glad that you figured it out and got it working!!

Ace
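The thread turns on two observations: the `nltest /sc_query` secure-channel status Eric compared between his old and new DC (ERROR_ACCESS_DENIED versus NERR_Success), and the two SMB server signing policies Ace suspected. The script below is an added example written for this page, not code from the thread, from Microsoft or from the KB articles linked above. It is read-only: it parses the nltest status line and reports the registry values behind the two "Digitally sign communications" policies, so the same check can be run on every DC and compared before any policy is changed. The trusted domain name `NT_DOMAIN` is a placeholder, and the script assumes an elevated PowerShell prompt on a DC where `nltest.exe` is present.

```powershell
<#
Added example, not code from the thread. Read-only health check for the two
things discussed above: the secure channel status that nltest /sc_query
reports for a trusted domain, and the two SMB server signing policies Ace
named ("Digitally sign communications (always)" / "(if client agrees)").
Assumptions (not from the thread): the trusted NT domain is called NT_DOMAIN
(placeholder), and the script runs in an elevated PowerShell prompt on a DC.
#>
param(
    # Placeholder name; replace with the NetBIOS name of the trusted domain.
    [string]$TrustedDomain = 'NT_DOMAIN'
)

function Get-TrustedDcConnectionStatus {
    param([Parameter(Mandatory)][string]$Domain)

    # nltest prints one line like the two quoted in the thread:
    #   Trusted DC Connection Status Status = 5 0x5 ERROR_ACCESS_DENIED
    #   Trusted DC Connection Status Status = 0 0x0 NERR_Success
    $output = & nltest.exe "/sc_query:$Domain" 2>&1 | ForEach-Object { "$_" }
    $line   = $output | Where-Object { $_ -match 'Trusted DC Connection Status' } | Select-Object -First 1

    $result = [ordered]@{ Domain = $Domain; Code = $null; Symbol = 'UNKNOWN'; Raw = ($output -join ' | ') }
    # Capture the decimal code and the symbolic name; the hex form is redundant.
    if ($line -and $line -match 'Status\s*=\s*(\d+)\s+0x[0-9A-Fa-f]+\s+(\S+)') {
        $result.Code   = [int]$Matches[1]
        $result.Symbol = $Matches[2]
        $result.Raw    = $line.Trim()
    }
    [pscustomobject]$result
}

function Get-SmbServerSigningPolicy {
    # Registry values behind the two Security Options policies named in the thread:
    #   "Digitally sign communications (always)"           -> RequireSecuritySignature
    #   "Digitally sign communications (if client agrees)" -> EnableSecuritySignature
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SignAlways         = [bool]($props.RequireSecuritySignature)
        SignIfClientAgrees = [bool]($props.EnableSecuritySignature)
    }
}

$sc      = Get-TrustedDcConnectionStatus -Domain $TrustedDomain
$signing = Get-SmbServerSigningPolicy

"Secure channel to {0}: {1} (code {2})" -f $sc.Domain, $sc.Symbol, $sc.Code
"SMB server signing on {0}: always={1}, if client agrees={2}" -f $env:COMPUTERNAME, $signing.SignAlways, $signing.SignIfClientAgrees

# Code 5 (ERROR_ACCESS_DENIED) together with mandatory signing is the combination
# Ace's reply points at; code 0 (NERR_Success) is the healthy state Eric saw on
# the new DC. Run the same check on every DC and compare before touching policy.
if ($sc.Code -eq 5 -and $signing.SignAlways) {
    'Secure channel denied while signing is mandatory: compare this DC''s settings with one where nltest returns NERR_Success.'
}
elseif ($sc.Code -eq 0) {
    'Secure channel to the trusted domain is healthy.'
}
```

Running it on each DC in the site gives a side-by-side view of exactly the difference Eric found between his old and new DC (code 5 versus code 0) together with the signing settings on that host, which is the evidence to collect before deciding whether the signing policy, and not a firewall rule, is what differs between them.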